// SPDX-License-Identifier: Apache-2.0
// Copyright Authors of Cilium

package filters

import (
	"context"

	v1 "github.com/cilium/cilium/pkg/hubble/api/v1"
	hubbleFilters "github.com/cilium/cilium/pkg/hubble/filters"
	"github.com/cilium/tetragon/api/v1/tetragon"
	"github.com/cilium/tetragon/pkg/logger"
)

// ChildCache is the set of PIDs learned to be descendants of the configured pidSet.
// It is used purely as a set, so the value type carries no data. The map is unbounded
// and is mutated by the filter closure as new children are observed.
//
// We could use an LRU here but we really don't want to evict old entries and risk failing
// a test that uses this filter. Instead, we take the safer approach from the perspective
// of testing and opt to grow the map indefinitely and log a warning if the size exceeds
// a pre-determined threshold. Since we have protections in place to prevent this filter
// being used in production, this should be acceptable.
type ChildCache = map[uint32]struct{}

// checkPidSetMembership reports whether pid is one of the configured PIDs in
// pidSet, or has previously been recorded in childCache as a descendant of one.
//
// pidSet is consulted first and is kept as a slice rather than merged into
// childCache so the originally configured PIDs can never be dropped from the
// cache. pidSet may be nil or empty; a nil childCache simply reads as empty.
func checkPidSetMembership(pid uint32, pidSet []uint32, childCache ChildCache) bool {
	if pidSetContains(pidSet, pid) {
		return true
	}
	// Not an original member: fall back to the cache of known children.
	_, isChild := childCache[pid]
	return isChild
}

// pidSetContains reports whether pid appears anywhere in pidSet.
func pidSetContains(pidSet []uint32, pid uint32) bool {
	for i := range pidSet {
		if pidSet[i] == pid {
			return true
		}
	}
	return false
}

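// doFilterByPidSet reports whether ev belongs to a process that is in pidSet
// or is a descendant of one, learning new descendants as it goes.
//
// The match is made either on the event's own PID or on its parent's PID. When
// only the parent matches, the event's PID is recorded in childCache so that
// the process's own future children match too. childCacheWarning points at the
// cache size at which a warning is logged; after logging, the threshold is
// doubled in place so the warning fires at each doubling rather than on every
// insertion. A nil childCacheWarning disables the warning.
//
// Returns false when the event carries no process, or when neither the process
// nor its parent matches.
//
// NOTE(review): childCache and *childCacheWarning are mutated without any
// locking; this assumes the filter built from them is invoked from a single
// goroutine — confirm with the callers of filterByPidSet.
func doFilterByPidSet(ev *v1.Event, pidSet []uint32, childCache ChildCache, childCacheWarning *int) bool {
	process := GetProcess(ev)
	if process == nil {
		return false
	}

	// The process itself is a configured PID or an already-known child.
	pid := process.Pid.GetValue()
	if checkPidSetMembership(pid, pidSet, childCache) {
		return true
	}

	parent := GetParent(ev)
	if parent == nil {
		return false
	}

	// Neither the process nor its parent is known: no match.
	ppid := parent.Pid.GetValue()
	if !checkPidSetMembership(ppid, pidSet, childCache) {
		return false
	}

	// The parent matched, so remember our own PID: our future children then
	// match through the cache as well.
	childCache[pid] = struct{}{}
	// Each insertion grows the cache by at most one entry, so an exact
	// comparison fires once per threshold; doubling keeps the log quiet until
	// the next threshold. The format argument must be the dereferenced
	// threshold — passing the *int itself would print a pointer, not the count.
	if childCacheWarning != nil && len(childCache) == *childCacheWarning {
		logger.GetLogger().Warnf("pidSet filter cache has exceeded %d entries. To prevent excess memory usage, consider disabling it.", *childCacheWarning)
		*childCacheWarning *= 2
	}
	return true
}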

// filterByPidSet builds a hubble FilterFunc that matches events whose process
// is in pidSet or descends from a member of it. childCache is shared by every
// invocation of the returned function and grows as descendants are discovered.
// childCacheWarning is the initial cache size at which a warning is logged; the
// closure keeps its own copy so the threshold can be advanced across calls.
func filterByPidSet(pidSet []uint32, childCache ChildCache, childCacheWarning int) hubbleFilters.FilterFunc {
	// Take the address once so every call shares (and updates) the same threshold.
	warnAt := &childCacheWarning
	filter := func(ev *v1.Event) bool {
		return doFilterByPidSet(ev, pidSet, childCache, warnAt)
	}
	return filter
}

// PidSetFilter is a filter that matches on a process and all of its children by their
// PID. Descendants are learned as events arrive and kept in an unbounded per-filter
// cache (see ChildCache); a warning is logged once the cache reaches 8192 entries and
// again at each doubling thereafter.
type PidSetFilter struct{}

// OnBuildFilter implements the filter builder hook: when ff.PidSet is set it
// returns a single FilterFunc matching that set of PIDs and their descendants,
// backed by a fresh, per-filter child cache. Without a PidSet it returns no
// filter functions. The error result is always nil.
func (f *PidSetFilter) OnBuildFilter(_ context.Context, ff *tetragon.Filter) ([]hubbleFilters.FilterFunc, error) {
	// Cache size at which the first "cache is growing" warning is logged.
	const initialChildCacheWarning = 8192

	if ff.PidSet == nil {
		return nil, nil
	}
	return []hubbleFilters.FilterFunc{
		filterByPidSet(ff.PidSet, make(ChildCache), initialChildCacheWarning),
	}, nil
}